Upgrade bundled dependencies with recent security patches - jszip

[hedsnz]

I was prompted to look at the source code of rJava when I got an alert for a vulnerability in one of the bundled JavaScript packages jszip. (Upstream merge with fix: Stuk/jszip#813) This is apparently at rJava/inst/javadoc/jquery/jszip/dist/jszip.js (+ minified etc.).

When I download the package source from https://cran.r-project.org/web/packages/rJava/index.html, jszip is indeed included at rJava/javadoc/jquery/jszip. However, jszip doesn't appear to be referenced anywhere in this repo. I'm guessing it's brought in by mkdist when it runs make javadoc (?).

If that's the case, is there any way to incorporate an upgraded version of jszip into rJava?

Thanks

Edit - here's another vulnerability identified in jszip before 3.7.0: https://nvd.nist.gov/vuln/detail/CVE-2021-23413. The version packaged in rJava is 3.2.1.

[s-u]

I'm not sure how this is related to rJava. When you refer to are merely static JavaDoc files, so this doesn't seem to be relevant in any way (the CVEs are about other code using the JS library, but not static content). If you think there is an actual issue, please provide details how exactly you think this affects rJava.

[hedsnz]

I think you're correct that the specific vulnerability with jszip is not exploitable via rJava. However, if rJava continues to bundle a vulnerable version of jszip, it will continue to trigger vulnerability alerts (regardless of practical relevance). These alerts can be difficult to navigate in an organisational environment with automated vulnerability scanning. In the best case, they create a headache for end users; and in the worst case, they could see people blocked from using rJava entirely.

(It takes time and expertise to look at a vulnerability, look at the source code, and decide whether or not it's relevant -- blocking the package is likely to be the path of least resistance for some security teams. I don't agree with this approach, but it is the reality unfortunately.)

So my suggestion is to use a distribution of javadoc that includes a patched version of jszip (e.g., what appears to have happened here newrelic/newrelic-java-agent#723).

Of course, I'm happy for you to close this issue if you do not think this is necessary, and are comfortable with these alerts.

[s-u]

I see what you mean, that makes sense (I'm well aware of the futility of fighting corporate bureaucracy with reason - been there, done that, have the scars ;)).

It's just not entirely clear to me how to upgrade jszip alone. The link you posted just forces toolchains, but doesn't make any change. I suppose just running JavaDoc from a more recent JDK may do the trick? Unfortunately newer JDKs can't build for the targets we want, though. Perhaps an easier solution is to simply remove JavaDocs from the package - if someone wants the Java-side developer documentation, they can simply run make javadoc themselves, it's not used by the package itself.

[hedsnz]

Yeah, removing JavaDocs sounds like the easiest solution to me. Sorry, I would chip in with a PR but this is really not my area! Thanks for looking into this, I appreciate it.